Killing SSL SHA-1 Certificates And Making The Web A Safer Place

Recently PayPal has sent emails to many of its users informing them that SSL upgrades will be performed on their servers and SHA-1 certificates will be upgraded to SHA-256. Some people got confused what they should do when receiving these emails, as the mail that PayPal sent and the blog post they shared, giving more details to the users contain very technical information. Hence, we would like to explain to our customers how end users will be affected from the changes that PayPal makes and what they have to do.

WHAT IS THIS SHA-1/SHA-256?

SHA-1 is a cryptographic hash algorithm which is used for signing SSL certificates. It is supposed to generate a unique slug, so no one could engineer a certificate that a web browser would find indistinguishable from the real certificate. In other words, the SHA-1 algorithm should ensure that all SSLs are unique and they have been issued by a trusted Certificate Authority.

Unfortunately, the SHA-1 algorithm is very old and during the last 10 years many research papers have proven that it is possible to crack it. In 2012 Jesse Walker estimated the cost of forging a SHA-1 certificate. According to his research which was made 3 years ago it will cost just $173K for someone to forge a SHA-1 certificate in 2018. We know that for small personal sites this is a lot of money but computers are becoming faster and faster and I am sure that several years from now it will cost literally pennies to forge SHA-1 certificates. Thus, SHA-1 certificates have to go. The thing is that there is no easy way to automatically replace all SSL certificates on the Internet and also upgrade all systems to support newer cryptographic hash algorithms so end users have to take actions.

The surest sign that SHA-1 will soon be history is that all major web browser will distrust SHA-1 SSL certificates after 2016. Google announced just two weeks ago that the Chrome browser would show warnings to all users immediately after a SHA-1 SSL enabled site is opened. We strongly encourage all browsers to do the same and inform users that SHA-1 websites are not well protected. This is the only way to have all SSL certificates upgraded sooner than later and avoid security attacks that could affect many users.

WHAT DID SITEGROUND DO TO PROTECT ITS USERS?

We also believe that SHA-1 should be deprecated as soon as possible. That is why we have been preparing for its removal for the last 2 years. Currently all SSL certificates issues by SiteGround use SHA-256. All SSL renewals have also been upgraded and old certificates will be replaced with SHA-256 ones. In addition, we upgraded the OpenSSL on our servers and it supports SHA-256.

When PayPal announced that they will upgrade their SSL certificates we tested the most popular e-commerce platforms to make sure that users on our server will not experience issues. We are glad to announce that our hosting platform will work with PayPal integrations after the SSL upgrades scheduled by PayPal in the end of September 2015.

WHAT TO DO IF YOU ARE NOT USING SITEGROUND SERVICES?

If you are not hosted on SiteGround servers and you wonder what to do on your end you can follow the steps below to make sure that you are prepared for the sunsetting of SHA-1:

1. Test your SSL at https://shaaaaaaaaaaaaa.com/ If you see an error then contact your SSL provider and ask them to reissue the SSL.
2. Check your server and make sure that your OpenSSL is at least version 0.9.8o. To check the OpenSSL version you can use a PHP phpinfo script. If you are hosted on a shared server you’ll not have access to upgrade the OpenSSL. Just contact your system administrators and ask them to check the OpenSSL and upgrade it for you.

We are happy that many companies have decided to deprecate SHA-1 and we have also taken steps to do this on our end. A SHA-1 purge like this one should have started years ago but sadly the SSL distribution system that the Internet uses right now is not perfect. And until we make it better we have to protect our users and do anything within our reach to prevent security issues.